Deploy GitHub Pages

This commit is contained in:
Travis Bot 2018-05-03 14:08:21 +00:00
parent a078100980
commit 467b6d7499
54 changed files with 5641 additions and 2237 deletions

@ -36,7 +36,7 @@
<title>TLS - NGINX Ingress Controller</title>
<title>TLS/HTTPS - NGINX Ingress Controller</title>
@ -95,7 +95,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="drawer"></label>
<a href="#tls" tabindex="1" class="md-skip">
<a href="#tlshttps" tabindex="1" class="md-skip">
Skip to content
</a>
@ -121,7 +121,7 @@
NGINX Ingress Controller
</span>
<span class="md-header-nav__topic">
TLS
TLS/HTTPS
</span>
@ -246,7 +246,7 @@
<li class="md-tabs__item">
<a href="../../examples/PREREQUISITES/" title="Examples" class="md-tabs__link">
<a href="../../examples/" title="Examples" class="md-tabs__link">
Examples
</a>
@ -360,6 +360,18 @@
</li>
<li class="md-nav__item">
<a href="../../deploy/upgrade/" title="Upgrading" class="md-nav__link">
Upgrading
</a>
</li>
</ul>
</nav>
</li>
@ -499,6 +511,18 @@
<li class="md-nav__item">
<a href="../default-backend/" title="Default backend" class="md-nav__link">
Default backend
</a>
</li>
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
@ -536,8 +560,8 @@
<li class="md-nav__item">
<a href="../multiple-ingress/" title="Multiple ingress controllers" class="md-nav__link">
Multiple ingress controllers
<a href="../multiple-ingress/" title="Multiple Ingress controllers" class="md-nav__link">
Multiple Ingress controllers
</a>
</li>
@ -569,11 +593,11 @@
<label class="md-nav__link md-nav__link--active" for="toc">
TLS
TLS/HTTPS
</label>
<a href="./" title="TLS" class="md-nav__link md-nav__link--active">
TLS
<a href="./" title="TLS/HTTPS" class="md-nav__link md-nav__link--active">
TLS/HTTPS
</a>
@ -586,6 +610,13 @@
<label class="md-nav__title" for="toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#tls-secrets" title="TLS Secrets" class="md-nav__link">
TLS Secrets
</a>
</li>
<li class="md-nav__item">
<a href="#default-ssl-certificate" title="Default SSL Certificate" class="md-nav__link">
Default SSL Certificate
@ -626,14 +657,20 @@
Default TLS Version and Ciphers
</a>
</li>
<li class="md-nav__item">
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#legacy-tls" title="Legacy TLS" class="md-nav__link">
Legacy TLS
</a>
</li>
</ul>
</nav>
</li>
@ -653,13 +690,13 @@
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3-10" type="checkbox" id="nav-3-10">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3-11" type="checkbox" id="nav-3-11">
<label class="md-nav__link" for="nav-3-10">
<label class="md-nav__link" for="nav-3-11">
Third party addons
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-3-10">
<label class="md-nav__title" for="nav-3-11">
Third party addons
</label>
<ul class="md-nav__list" data-md-scrollfix>
@ -724,8 +761,8 @@
<li class="md-nav__item">
<a href="../../examples/PREREQUISITES/" title="Prerequisites" class="md-nav__link">
Prerequisites
<a href="../../examples/" title="Ingress examples" class="md-nav__link">
Ingress examples
</a>
</li>
@ -736,8 +773,8 @@
<li class="md-nav__item">
<a href="../../examples/README/" title="Ingress examples" class="md-nav__link">
Ingress examples
<a href="../../examples/PREREQUISITES/" title="Prerequisites" class="md-nav__link">
Prerequisites
</a>
</li>
@ -809,6 +846,18 @@
</li>
<li class="md-nav__item">
<a href="../../examples/auth/oauth-external-auth/README/" title="External Authentication" class="md-nav__link">
External Authentication
</a>
</li>
</ul>
</nav>
</li>
@ -899,8 +948,8 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-vts-metrics-prometheus/README/" title="Deploying the Nginx Ingress controller" class="md-nav__link">
Deploying the Nginx Ingress controller
<a href="../../examples/customization/custom-vts-metrics-prometheus/README/" title="Custom VTS metrics with Prometheus" class="md-nav__link">
Custom VTS metrics with Prometheus
</a>
</li>
@ -923,8 +972,8 @@
<li class="md-nav__item">
<a href="../../examples/customization/ssl-dh-param/README/" title="Deploying the Nginx Ingress controller" class="md-nav__link">
Deploying the Nginx Ingress controller
<a href="../../examples/customization/ssl-dh-param/README/" title="Custom DH parameters for perfect forward secrecy" class="md-nav__link">
Custom DH parameters for perfect forward secrecy
</a>
</li>
@ -963,18 +1012,6 @@
<li class="md-nav__item">
<a href="../../examples/external-auth/README/" title="External Authentication" class="md-nav__link">
External Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/multi-tls/README/" title="Multi TLS certificate termination" class="md-nav__link">
Multi TLS certificate termination
@ -1079,6 +1116,13 @@
<label class="md-nav__title" for="toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#tls-secrets" title="TLS Secrets" class="md-nav__link">
TLS Secrets
</a>
</li>
<li class="md-nav__item">
<a href="#default-ssl-certificate" title="Default SSL Certificate" class="md-nav__link">
Default SSL Certificate
@ -1119,14 +1163,20 @@
Default TLS Version and Ciphers
</a>
</li>
<li class="md-nav__item">
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#legacy-tls" title="Legacy TLS" class="md-nav__link">
Legacy TLS
</a>
</li>
</ul>
</nav>
</li>
@ -1147,141 +1197,82 @@
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/user-guide/tls.md" title="Edit this page" class="md-icon md-content__icon">&#xE3C9;</a>
<h1 id="tls">TLS<a class="headerlink" href="#tls" title="Permanent link">&para;</a></h1>
<ul>
<li><a href="#default-ssl-certificate">Default SSL Certificate</a></li>
<li><a href="#ssl-passthrough">SSL Passthrough</a></li>
<li><a href="#server-side-https-enforcement">HTTPS enforcement</a></li>
<li><a href="#http-strict-transport-security">HSTS</a></li>
<li><a href="#server-side-https-enforcement-through-redirect">Server-side HTTPS enforcement through redirect</a> </li>
<li><a href="#automated-certificate-management-with-kube-lego">Kube-Lego</a></li>
<li><a href="#default-tls-version-and-ciphers">Default TLS Version and Ciphers</a></li>
<li><a href="#legacy-tls">Legacy TLS</a></li>
</ul>
<h1 id="tlshttps">TLS/HTTPS<a class="headerlink" href="#tlshttps" title="Permanent link">&para;</a></h1>
<h2 id="tls-secrets">TLS Secrets<a class="headerlink" href="#tls-secrets" title="Permanent link">&para;</a></h2>
<p>Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.</p>
<p>You can generate a self-signed certificate and private key with with:</p>
<div class="codehilite"><pre><span></span>$ openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> -out <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span> -subj <span class="s2">&quot;/CN=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">/O=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">&quot;</span><span class="sb">`</span>
</pre></div>
<p>Then create the secret in the cluster via:</p>
<div class="codehilite"><pre><span></span>kubectl create secret tls <span class="si">${</span><span class="nv">CERT_NAME</span><span class="si">}</span> --key <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> --cert <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span>
</pre></div>
<p>The resulting secret will be of type <code class="codehilite">kubernetes.io/tls</code>.</p>
<h2 id="default-ssl-certificate">Default SSL Certificate<a class="headerlink" href="#default-ssl-certificate" title="Permanent link">&para;</a></h2>
<p>NGINX provides the option to configure a server as a catch-all with <a href="http://nginx.org/en/docs/http/server_names.html">server_name</a> for requests that do not match any of the configured server names. This configuration works without issues for HTTP traffic.
In case of HTTPS, NGINX requires a certificate.
For this reason the Ingress controller provides the flag <code class="codehilite">--default-ssl-certificate</code>. The secret behind this flag contains the default certificate to be used in the mentioned scenario. If this flag is not provided NGINX will use a self signed certificate.</p>
<p>Running without the flag <code class="codehilite">--default-ssl-certificate</code>:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -v https://10.2.78.7:443 -k
<span class="go">* Rebuilt URL to: https://10.2.78.7:443/</span>
<span class="go">* Trying 10.2.78.4...</span>
<span class="go">* Connected to 10.2.78.7 (10.2.78.7) port 443 (#0)</span>
<span class="go">* ALPN, offering http/1.1</span>
<span class="go">* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH</span>
<span class="go">* successfully set certificate verify locations:</span>
<span class="go">* CAfile: /etc/ssl/certs/ca-certificates.crt</span>
<span class="go"> CApath: /etc/ssl/certs</span>
<span class="go">* TLSv1.2 (OUT), TLS header, Certificate Status (22):</span>
<span class="go">* TLSv1.2 (OUT), TLS handshake, Client hello (1):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Server hello (2):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Certificate (11):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Server key exchange (12):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Server finished (14):</span>
<span class="go">* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):</span>
<span class="go">* TLSv1.2 (OUT), TLS change cipher, Client hello (1):</span>
<span class="go">* TLSv1.2 (OUT), TLS handshake, Finished (20):</span>
<span class="go">* TLSv1.2 (IN), TLS change cipher, Client hello (1):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Finished (20):</span>
<span class="go">* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256</span>
<span class="go">* ALPN, server accepted to use http/1.1</span>
<span class="go">* Server certificate:</span>
<span class="go">* subject: CN=foo.bar.com</span>
<span class="go">* start date: Apr 13 00:50:56 2016 GMT</span>
<span class="go">* expire date: Apr 13 00:50:56 2017 GMT</span>
<span class="go">* issuer: CN=foo.bar.com</span>
<span class="go">* SSL certificate verify result: self signed certificate (18), continuing anyway.</span>
<span class="gp">&gt;</span> GET / HTTP/1.1
<span class="gp">&gt;</span> Host: <span class="m">10</span>.2.78.7
<span class="gp">&gt;</span> User-Agent: curl/7.47.1
<span class="gp">&gt;</span> Accept: */*
<span class="gp">&gt;</span>
<span class="go">&lt; HTTP/1.1 404 Not Found</span>
<span class="go">&lt; Server: nginx/1.11.1</span>
<span class="go">&lt; Date: Thu, 21 Jul 2016 15:38:46 GMT</span>
<span class="go">&lt; Content-Type: text/html</span>
<span class="go">&lt; Transfer-Encoding: chunked</span>
<span class="go">&lt; Connection: keep-alive</span>
<span class="go">&lt; Strict-Transport-Security: max-age=15724800; includeSubDomains; preload</span>
<span class="go">&lt;</span>
<span class="go">&lt;span&gt;The page you&#39;re looking for could not be found.&lt;/span&gt;</span>
<span class="go">* Connection #0 to host 10.2.78.7 left intact</span>
</pre></div>
<p>Specifying <code class="codehilite">--default-ssl-certificate=default/foo-tls</code>:</p>
<div class="codehilite"><pre><span></span><span class="gp">core@localhost ~ $</span> curl -v https://10.2.78.7:443 -k
<span class="go">* Rebuilt URL to: https://10.2.78.7:443/</span>
<span class="go">* Trying 10.2.78.7...</span>
<span class="go">* Connected to 10.2.78.7 (10.2.78.7) port 443 (#0)</span>
<span class="go">* ALPN, offering http/1.1</span>
<span class="go">* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH</span>
<span class="go">* successfully set certificate verify locations:</span>
<span class="go">* CAfile: /etc/ssl/certs/ca-certificates.crt</span>
<span class="go"> CApath: /etc/ssl/certs</span>
<span class="go">* TLSv1.2 (OUT), TLS header, Certificate Status (22):</span>
<span class="go">* TLSv1.2 (OUT), TLS handshake, Client hello (1):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Server hello (2):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Certificate (11):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Server key exchange (12):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Server finished (14):</span>
<span class="go">* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):</span>
<span class="go">* TLSv1.2 (OUT), TLS change cipher, Client hello (1):</span>
<span class="go">* TLSv1.2 (OUT), TLS handshake, Finished (20):</span>
<span class="go">* TLSv1.2 (IN), TLS change cipher, Client hello (1):</span>
<span class="go">* TLSv1.2 (IN), TLS handshake, Finished (20):</span>
<span class="go">* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256</span>
<span class="go">* ALPN, server accepted to use http/1.1</span>
<span class="go">* Server certificate:</span>
<span class="go">* subject: CN=foo.bar.com</span>
<span class="go">* start date: Apr 13 00:50:56 2016 GMT</span>
<span class="go">* expire date: Apr 13 00:50:56 2017 GMT</span>
<span class="go">* issuer: CN=foo.bar.com</span>
<span class="go">* SSL certificate verify result: self signed certificate (18), continuing anyway.</span>
<span class="gp">&gt;</span> GET / HTTP/1.1
<span class="gp">&gt;</span> Host: <span class="m">10</span>.2.78.7
<span class="gp">&gt;</span> User-Agent: curl/7.47.1
<span class="gp">&gt;</span> Accept: */*
<span class="gp">&gt;</span>
<span class="go">&lt; HTTP/1.1 404 Not Found</span>
<span class="go">&lt; Server: nginx/1.11.1</span>
<span class="go">&lt; Date: Mon, 18 Jul 2016 21:02:59 GMT</span>
<span class="go">&lt; Content-Type: text/html</span>
<span class="go">&lt; Transfer-Encoding: chunked</span>
<span class="go">&lt; Connection: keep-alive</span>
<span class="go">&lt; Strict-Transport-Security: max-age=15724800; includeSubDomains; preload</span>
<span class="go">&lt;</span>
<span class="go">&lt;span&gt;The page you&#39;re looking for could not be found.&lt;/span&gt;</span>
<span class="go">* Connection #0 to host 10.2.78.7 left intact</span>
</pre></div>
<p>NGINX provides the option to configure a server as a catch-all with
<a href="http://nginx.org/en/docs/http/server_names.html">server_name</a>
for requests that do not match any of the configured server names.
This configuration works without out-of-the-box for HTTP traffic.
For HTTPS, a certificate is naturally required.</p>
<p>For this reason the Ingress controller provides the flag <code class="codehilite">--default-ssl-certificate</code>.
The secret referred to by this flag contains the default certificate to be used when
accessing the catch-all server.
If this flag is not provided NGINX will use a self-signed certificate.</p>
<p>For instance, if you have a TLS secret <code class="codehilite">foo-tls</code> in the <code class="codehilite">default</code> namespace,
add <code class="codehilite">--default-ssl-certificate=default/foo-tls</code> in the <code class="codehilite">nginx-controller</code> deployment.</p>
<h2 id="ssl-passthrough">SSL Passthrough<a class="headerlink" href="#ssl-passthrough" title="Permanent link">&para;</a></h2>
<p>The flag <code class="codehilite">--enable-ssl-passthrough</code> enables SSL passthrough feature.
By default this feature is disabled</p>
<p>The flag <code class="codehilite">--enable-ssl-passthrough</code> enables the SSL passthrough feature.
By default this feature is disabled.</p>
<p>This is required to enable passthrough backends in Ingress configurations.</p>
<p>TODO: Improve this documentation.</p>
<h2 id="http-strict-transport-security">HTTP Strict Transport Security<a class="headerlink" href="#http-strict-transport-security" title="Permanent link">&para;</a></h2>
<p>HTTP Strict Transport Security (HSTS) is an opt-in security enhancement specified through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.</p>
<p>By default the controller redirects (301) to HTTPS if there is a TLS Ingress rule.</p>
<p>To disable this behavior use <code class="codehilite">hsts: &quot;false&quot;</code> in the configuration ConfigMap.</p>
<p>HTTP Strict Transport Security (HSTS) is an opt-in security enhancement specified
through the use of a special response header. Once a supported browser receives
this header that browser will prevent any communications from being sent over
HTTP to the specified domain and will instead send all communications over HTTPS.</p>
<p>HSTS is enabled by default.</p>
<p>To disable this behavior use <code class="codehilite">hsts: &quot;false&quot;</code> in the configuration <a href="../nginx-configuration/configmap/">ConfigMap</a>.</p>
<h2 id="server-side-https-enforcement-through-redirect">Server-side HTTPS enforcement through redirect<a class="headerlink" href="#server-side-https-enforcement-through-redirect" title="Permanent link">&para;</a></h2>
<p>By default the controller redirects (301) to <code class="codehilite">HTTPS</code> if TLS is enabled for that ingress. If you want to disable that behavior globally, you can use <code class="codehilite">ssl-redirect: &quot;false&quot;</code> in the NGINX config map.</p>
<p>To configure this feature for specific ingress resources, you can use the <code class="codehilite">nginx.ingress.kubernetes.io/ssl-redirect: &quot;false&quot;</code> annotation in the particular resource.</p>
<p>When using SSL offloading outside of cluster (e.g. AWS ELB) it may be useful to enforce a redirect to <code class="codehilite">HTTPS</code> even when there is not TLS cert available. This can be achieved by using the <code class="codehilite">nginx.ingress.kubernetes.io/force-ssl-redirect: &quot;true&quot;</code> annotation in the particular resource.</p>
<p>By default the controller redirects HTTP clients to the HTTPS port
443 using a 308 Permanent Redirect response if TLS is enabled for that Ingress.</p>
<p>This can be disabled globally using <code class="codehilite">ssl-redirect: &quot;false&quot;</code> in the NGINX <a href="../nginx-configuration/configmap/">config map</a>,
or per-Ingress with the <code class="codehilite">nginx.ingress.kubernetes.io/ssl-redirect: &quot;false&quot;</code>
annotation in the particular resource.</p>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>When using SSL offloading outside of cluster (e.g. AWS ELB) it may be useful to enforce a
redirect to HTTPS even when there is no TLS certificate available.
This can be achieved by using the <code class="codehilite">nginx.ingress.kubernetes.io/force-ssl-redirect: &quot;true&quot;</code>
annotation in the particular resource.</p>
</div>
<h2 id="automated-certificate-management-with-kube-lego">Automated Certificate Management with Kube-Lego<a class="headerlink" href="#automated-certificate-management-with-kube-lego" title="Permanent link">&para;</a></h2>
<p><a href="https://github.com/jetstack/kube-lego">Kube-Lego</a> automatically requests missing or expired certificates from <a href="https://letsencrypt.org">Let's Encrypt</a> by monitoring ingress resources and their referenced secrets. To enable this for an ingress resource you have to add an annotation:</p>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>Kube-Lego has reached end-of-life and is being
replaced by <a href="https://github.com/jetstack/cert-manager/">cert-manager</a>.</p>
</div>
<p><a href="https://github.com/jetstack/kube-lego">Kube-Lego</a> automatically requests missing or expired certificates from <a href="https://letsencrypt.org">Let's Encrypt</a>
by monitoring ingress resources and their referenced secrets.</p>
<p>To enable this for an ingress resource you have to add an annotation:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl annotate ing ingress-demo kubernetes.io/tls-acme=&quot;true&quot;</span>
</pre></div>
<p>To setup Kube-Lego you can take a look at this <a href="https://github.com/jetstack/kube-lego/tree/master/examples">full example</a>. The first
version to fully support Kube-Lego is nginx Ingress controller 0.8.</p>
<p>To setup Kube-Lego you can take a look at this <a href="https://github.com/jetstack/kube-lego/tree/master/examples">full example</a>.
The first version to fully support Kube-Lego is Nginx Ingress controller 0.8.</p>
<h2 id="default-tls-version-and-ciphers">Default TLS Version and Ciphers<a class="headerlink" href="#default-tls-version-and-ciphers" title="Permanent link">&para;</a></h2>
<p>To provide the most secure baseline configuration possible, nginx-ingress defaults to using TLS 1.2 and a <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#ssl-ciphers">secure set of TLS ciphers</a></p>
<h2 id="legacy-tls">Legacy TLS<a class="headerlink" href="#legacy-tls" title="Permanent link">&para;</a></h2>
<p>The default configuration, though secure, does not support some older browsers and operating systems. For instance, 20% of Android phones in use today are not compatible with nginx-ingress's default configuration. To change this default behavior, use a <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#ssl-ciphers">ConfigMap</a>.</p>
<p>A sample ConfigMap to allow these older clients connect could look something like the following:</p>
<p>To provide the most secure baseline configuration possible,</p>
<p>nginx-ingress defaults to using TLS 1.2 only and a <a href="../nginx-configuration/configmap/#ssl-ciphers">secure set of TLS ciphers</a>.</p>
<h3 id="legacy-tls">Legacy TLS<a class="headerlink" href="#legacy-tls" title="Permanent link">&para;</a></h3>
<p>The default configuration, though secure, does not support some older browsers and operating systems.</p>
<p>For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing,
May 2018, <a href="https://developer.android.com/about/dashboards/#Platform">approximately 15% of Android devices</a>
are not compatible with nginx-ingress's default configuration.</p>
<p>To change this default behavior, use a <a href="../nginx-configuration/configmap/">ConfigMap</a>.</p>
<p>A sample ConfigMap fragment to allow these older clients to connect could look something like the following:</p>
<div class="codehilite"><pre><span></span><span class="n">kind</span><span class="o">:</span> <span class="n">ConfigMap</span>
<span class="n">apiVersion</span><span class="o">:</span> <span class="n">v1</span>
<span class="n">metadata</span><span class="o">:</span>
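Review bot: The openssl command added under "TLS Secrets" ends with a stray backtick after the closing quote of the -subj argument ("/CN=${HOST}/O=${HOST}" followed by a backtick), so a reader who pastes it into a shell opens an unterminated command substitution and the shell waits for more input instead of running the command; drop the backtick in docs/user-guide/tls.md and regenerate the page. The same command uses -nodes, which writes the private key to ${KEY_FILE} unencrypted, and the text around it does not say so; one sentence telling the reader to restrict access to that file, or delete it once the secret has been created, would help. Three wording problems in the new text should be fixed in the same pass: "private key with with:", "This configuration works without out-of-the-box for HTTP traffic", and the sentence "To provide the most secure baseline configuration possible," which is now split across two paragraph elements, leaving a paragraph that ends in a comma. The two curl -v transcripts in the Default SSL Certificate section are dropped with no replacement, so the page no longer shows how to check which certificate the catch-all server presents; a short verification step after the --default-ssl-certificate=default/foo-tls instruction would keep that. The redirect status in the prose changes from 301 to 308 in "Server-side HTTPS enforcement through redirect"; confirm that it matches what the controller version documented here actually returns.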